The UK's Department for Transport is warning that more needs to be done to address cyber security in the maritime industry

The British government has announced a new cyber security code of practice for ships.

It warned that with the development of autonomous and partly-autonomous vessels, the industry is potentially “more vulnerable to cyber attacks”.

Speaking at the launch of the code of practice at London International Shipping Week, the Parliamentary Under-Secretary at the Department for Transport, Lord Callanan, said in some areas, maritime companies continue to “rely on legacy systems using old software and aging operational technology”.

“This has the potential to make the industry more vulnerable to cyber attacks. And the implications of such vulnerabilities could be highly damaging,” stressed the minister.

“Poor cyber security undermines customer confidence and industry reputation, and could potentially result in severe financial losses or penalties, and litigation affecting the companies involved,” added Lord Callanan.

He also warned that a cyber attack could result in “criminal activity, including kidnap, piracy, fraud, theft of cargo, or imposition of ransomware”.

The concern is also that if a ship’s navigation system is taken over, it could be sailed off course, run aground or be programmed to hit another ship.

In June, the Danish shipping company, Maersk, fell victim to the NotPetya cyber attack, which is estimated to have cost the firm up to $300 million in lost revenue.

The ransomware attack prevented people from accessing their data unless they paid a certain fee in bitcoin.

Maersk lost up to $300 million when it fell victim to the NotPetya cyber attack. Credit: Łukasz Golowanow/Wikimedia Commons

Lord Callanan said NotPetya “showed that the industry is vulnerable to these type of attacks”.

The new ship cyber security code of practice is aimed at both small and large ship operators, ship owners and crew members.

It aims to help these firms to:

  • develop a cyber security assessment and plan;
  • devise the most appropriate mitigation measures;
  • ensure the correct structures, roles, responsibilities and processes are in place; and
  • manage security breaches and incidents.

It also highlights the key national and international standards and regulations that should be reviewed and followed.

The new code was put together by the Institution of Engineering and Technology (IET), with input from the Maritime and Coastguard Agency, the Marine Accident and Investigation Branch, the MoD’s Defence Science and Technology Laboratory, and the National Cyber Security Centre.

The IET was also responsible for last year’s cyber security code of practice for ports and port systems.

The code aims to complement the work being done by the International Maritime Organisation (IMO) to raise awareness of cyber threats and vulnerabilities.